* [PATCH nft 0/2] netfilter: nf_tables: Use rcu lock to enhance protection of the lists @ 2024-04-07 6:56 Ziyang Xuan 2024-04-07 6:56 ` [PATCH nft 1/2] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Ziyang Xuan 2024-04-07 6:56 ` [PATCH nft 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Ziyang Xuan 0 siblings, 2 replies; 5+ messages in thread From: Ziyang Xuan @ 2024-04-07 6:56 UTC (permalink / raw) To: pablo, kadlec, netfilter-devel; +Cc: fw nf_tables_expressions and nf_tables_objects lists can be concurrent between type lookup and module unloading process. But there is not any protection in type lookup process. Therefore, there is pertential data-race of the lists entry. Use rcu lock to enhance protection of the lists. Ziyang Xuan (2): netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() net/netfilter/nf_tables_api.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH nft 1/2] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() 2024-04-07 6:56 [PATCH nft 0/2] netfilter: nf_tables: Use rcu lock to enhance protection of the lists Ziyang Xuan @ 2024-04-07 6:56 ` Ziyang Xuan 2024-04-11 10:04 ` Pablo Neira Ayuso 2024-04-07 6:56 ` [PATCH nft 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Ziyang Xuan 1 sibling, 1 reply; 5+ messages in thread From: Ziyang Xuan @ 2024-04-07 6:56 UTC (permalink / raw) To: pablo, kadlec, netfilter-devel; +Cc: fw nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is pertential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process. Fixes: ef1f7df9170d ("netfilter: nf_tables: expression ops overloading") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- net/netfilter/nf_tables_api.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 47e1a22e8fb1..646d59685cfd 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3056,7 +3056,7 @@ static const struct nft_expr_type *__nft_expr_type_get(u8 family, { const struct nft_expr_type *type, *candidate = NULL; - list_for_each_entry(type, &nf_tables_expressions, list) { + list_for_each_entry_rcu(type, &nf_tables_expressions, list) { if (!nla_strcmp(nla, type->name)) { if (!type->family && !candidate) candidate = type; @@ -3088,9 +3088,13 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net, if (nla == NULL) return ERR_PTR(-EINVAL); + rcu_read_lock(); type = __nft_expr_type_get(family, nla); - if (type != NULL && try_module_get(type->owner)) + if (type != NULL && try_module_get(type->owner)) { + rcu_read_unlock(); return type; + } + rcu_read_unlock(); lockdep_nfnl_nft_mutex_not_held(); #ifdef CONFIG_MODULES -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH nft 1/2] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() 2024-04-07 6:56 ` [PATCH nft 1/2] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Ziyang Xuan @ 2024-04-11 10:04 ` Pablo Neira Ayuso 0 siblings, 0 replies; 5+ messages in thread From: Pablo Neira Ayuso @ 2024-04-11 10:04 UTC (permalink / raw) To: Ziyang Xuan; +Cc: kadlec, netfilter-devel, fw On Sun, Apr 07, 2024 at 02:56:04PM +0800, Ziyang Xuan wrote: > nft_unregister_expr() can concurrent with __nft_expr_type_get(), > and there is not any protection when iterate over nf_tables_expressions > list in __nft_expr_type_get(). Therefore, there is pertential > data-race of nf_tables_expressions list entry. > > Use list_for_each_entry_rcu() to iterate over nf_tables_expressions > list in __nft_expr_type_get(), and use rcu_read_lock() in the caller > nft_expr_type_get() to protect the entire type query process. Applied to nf, thanks ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH nft 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() 2024-04-07 6:56 [PATCH nft 0/2] netfilter: nf_tables: Use rcu lock to enhance protection of the lists Ziyang Xuan 2024-04-07 6:56 ` [PATCH nft 1/2] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Ziyang Xuan @ 2024-04-07 6:56 ` Ziyang Xuan 2024-04-11 10:05 ` Pablo Neira Ayuso 1 sibling, 1 reply; 5+ messages in thread From: Ziyang Xuan @ 2024-04-07 6:56 UTC (permalink / raw) To: pablo, kadlec, netfilter-devel; +Cc: fw nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is pertential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process. Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- net/netfilter/nf_tables_api.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 646d59685cfd..70fe0ca24d34 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -7607,7 +7607,7 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) { const struct nft_object_type *type; - list_for_each_entry(type, &nf_tables_objects, list) { + list_for_each_entry_rcu(type, &nf_tables_objects, list) { if (type->family != NFPROTO_UNSPEC && type->family != family) continue; @@ -7623,9 +7623,13 @@ nft_obj_type_get(struct net *net, u32 objtype, u8 family) { const struct nft_object_type *type; + rcu_read_lock(); type = __nft_obj_type_get(objtype, family); - if (type != NULL && try_module_get(type->owner)) + if (type != NULL && try_module_get(type->owner)) { + rcu_read_unlock(); return type; + } + rcu_read_unlock(); lockdep_nfnl_nft_mutex_not_held(); #ifdef CONFIG_MODULES -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH nft 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() 2024-04-07 6:56 ` [PATCH nft 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Ziyang Xuan @ 2024-04-11 10:05 ` Pablo Neira Ayuso 0 siblings, 0 replies; 5+ messages in thread From: Pablo Neira Ayuso @ 2024-04-11 10:05 UTC (permalink / raw) To: Ziyang Xuan; +Cc: kadlec, netfilter-devel, fw On Sun, Apr 07, 2024 at 02:56:05PM +0800, Ziyang Xuan wrote: > nft_unregister_obj() can concurrent with __nft_obj_type_get(), > and there is not any protection when iterate over nf_tables_objects > list in __nft_obj_type_get(). Therefore, there is pertential > data-race of nf_tables_objects list entry. > > Use list_for_each_entry_rcu() to iterate over nf_tables_objects > list in __nft_obj_type_get(), and use rcu_read_lock() in the caller > nft_obj_type_get() to protect the entire type query process. Also applied, thanks > Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects") > Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> > --- > net/netfilter/nf_tables_api.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 646d59685cfd..70fe0ca24d34 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -7607,7 +7607,7 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) > { > const struct nft_object_type *type; > > - list_for_each_entry(type, &nf_tables_objects, list) { > + list_for_each_entry_rcu(type, &nf_tables_objects, list) { > if (type->family != NFPROTO_UNSPEC && > type->family != family) > continue; > @@ -7623,9 +7623,13 @@ nft_obj_type_get(struct net *net, u32 objtype, u8 family) > { > const struct nft_object_type *type; > > + rcu_read_lock(); > type = __nft_obj_type_get(objtype, family); > - if (type != NULL && try_module_get(type->owner)) > + if (type != NULL && try_module_get(type->owner)) { > + rcu_read_unlock(); > return type; > + } > + rcu_read_unlock(); > > lockdep_nfnl_nft_mutex_not_held(); > #ifdef CONFIG_MODULES > -- > 2.25.1 > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-04-11 10:05 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-04-07 6:56 [PATCH nft 0/2] netfilter: nf_tables: Use rcu lock to enhance protection of the lists Ziyang Xuan 2024-04-07 6:56 ` [PATCH nft 1/2] netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() Ziyang Xuan 2024-04-11 10:04 ` Pablo Neira Ayuso 2024-04-07 6:56 ` [PATCH nft 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Ziyang Xuan 2024-04-11 10:05 ` Pablo Neira Ayuso
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.